US9703720B2 (Active, Utility Patent)
Method and apparatus to allow secure guest access to extended page tables
Est. expiry: Dec 23, 2034 (~8.5 yrs left); nominal 20-yr term from priority
Inventors: ZMUDZINSKI KRYSTOF C
CPC classifications: G06F 12/1475, G06F 12/1036, G06F 12/145, G06F 9/45558, G06F 2212/657, G06F 12/1009, G06F 2009/45587, G06F 2212/1052, G06F 2009/45583
PatentIndex Score: 73 · Cited by: 3 · References: 18 · Claims: 24
Abstract
An apparatus and method for efficient guest EPT manipulation. For example, one embodiment of an apparatus comprises: a hypervisor to create extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space; the hypervisor to create an EPT edit table and populate the EPT edit table with information related to permitted mappings between the GPA space and HPA space; a guest to read the EPT edit table to determine information related to the permitted mappings between the GPA space and HPA space, the guest to use the information to map one or more pages in the GPA space to one or more pages in the HPA space.
Claims
What is claimed is:
1. An apparatus comprising:
a hypervisor to create extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space;
the hypervisor to create an EPT edit table and to populate the EPT edit table with information related to permitted mappings between the GPA space and HPA space;
a guest to read the EPT edit table to determine the information related to the permitted mappings between the GPA space and HPA space, the guest to use the information to map one or more pages in the GPA space to one or more pages in the HPA space.
2. The apparatus as in claim 1 wherein, when performing the EPT mappings, the hypervisor is to maintain leaf EPTs in a contiguous physical memory region.
3. The apparatus as in claim 1 wherein to determine the information related to the permitted mappings between the GPA space and the HPA space within the EPT edit table, the guest is to execute a CPUID instruction.
4. The apparatus as in claim 3 wherein to use the information to map one or more pages in the GPA space to one or more pages in the HPA space, the guest is to execute a VMFUNC instruction.
5. The apparatus as in claim 1 wherein the information related to the permitted mappings between the GPA space and HPA space determined from the EPT edit table comprises a start and size of the GPA space and a start and the size of the HPA space.
6. The apparatus as in claim 1 wherein the EPT edit table comprises a plurality of entries, each entry including one or more of: a leaf EPT start address, a leaf EPT size, a GPA start space, a GPA size, an HPA start address, an HPA size, and access permissions.
7. The apparatus as in claim 6 wherein the access permissions comprise read, write and execute permissions.
8. The apparatus as in claim 1 further comprising:
a virtual machine control structure (VMCS) to store control data related to the guest.
9. The apparatus as in claim 8 wherein the hypervisor is to store an EPT edit table pointer within the VMCS comprising an address of a page allocated to the guest by the hypervisor.
10. The apparatus as in claim 9 wherein the page comprises a 4 kB page.
11. The apparatus as in claim 1 wherein the guest executes an instruction using registers EAX=1, ECX=x, EBX=y, and EDX=z to map a GPA space page to an HPA space page, where at least a portion of x identifies an entry in the EPT edit table, at least a portion of y indicates a page number in the GPA space, and at least a portion of z indicates a page number in the HPA space.
12. The apparatus as in claim 11 wherein at least a portion of x further indicates access permissions.
13. A method comprising:
creating extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space;
creating an EPT edit table and populating the EPT edit table with information related to permitted mappings between the GPA space and HPA space;
reading by a guest the EPT edit table to determine the information related to the permitted mappings between the GPA space and HPA space,
using the information by the guest to map one or more pages in the GPA space to one or more pages in the HPA space.
14. The method as in claim 13 further comprising keeping leaf EPTs in a contiguous physical memory region when creating the EPT mappings.
15. The method as in claim 13 wherein to determine the information related to the permitted mappings between the GPA space and the HPA space within the EPT edit table, the guest is to execute a CPUID instruction.
16. The method as in claim 15 wherein to use the information to map one or more pages in the GPA space to one or more pages in the HPA space, the guest is to execute a VMFUNC instruction.
17. The method as in claim 13 wherein the information related to the permitted mappings between the GPA space and HPA space determined from the EPT edit table comprises a start and size of the GPA space and a start and the size of the HPA space.
18. The method as in claim 13 wherein the EPT edit table comprises a plurality of entries, each entry including one or more of: a leaf EPT start address, a leaf EPT size, a GPA start space, a GPA size, an HPA start address, an HPA size, and access permissions.
19. The method as in claim 18 wherein the access permissions comprise read, write and execute permissions.
20. The method as in claim 13 further comprising:
storing control data related to the guest in a virtual machine control structure (VMCS).
21. The method as in claim 20 wherein the control data includes an EPT edit table pointer comprising an address of a page allocated to the guest.
22. The method as in claim 21 wherein the page comprises a 4 kB page.
23. The method as in claim 13 wherein the guest executes an instruction using registers EAX=1, ECX=x, EBX=y, and EDX=z to map a GPA space page to an HPA space page, where at least a portion of x identifies an entry in the EPT edit table, at least a portion of y indicates a page number in the GPA space, and at least a portion of z indicates a page number in the HPA space.
24. The method as in claim 23 wherein at least a portion of x further indicates access permissions.
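To make the bounds and permission checks implied by claims 5, 6, 11 and 12 concrete, the following is a constructed C model, added here and not the patent's or any vendor's code, of how a VMFUNC EAX=1 request (ECX = edit-table entry plus requested permissions, EBX = GPA page number, EDX = HPA page number) would be validated against an EPT edit table entry before a leaf EPT entry is produced. The ECX bit layout, the byte-sized range fields, the 4 kB page size and the sample table contents are assumptions for this model.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of one EPT edit table entry (claim 6): the GPA and HPA
 * ranges the guest may map between and the R/W/X bits it may request. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ull << PAGE_SHIFT)
#define EPT_R 1u
#define EPT_W 2u
#define EPT_X 4u

typedef struct {
    uint64_t gpa_start, gpa_size;   /* bytes, assumption: 4 kB-aligned */
    uint64_t hpa_start, hpa_size;   /* bytes, assumption: 4 kB-aligned */
    uint32_t allowed_perms;         /* subset of EPT_R | EPT_W | EPT_X */
} ept_edit_entry;

typedef struct {
    const ept_edit_entry *entries;
    size_t count;
} ept_edit_table;

/* Assumed ECX encoding (claims 11/12): bits 2:0 = requested R/W/X,
 * bits 31:3 = index of the edit-table entry being used. */
#define ECX_PERM_MASK 7u
#define ECX_INDEX(ecx) ((ecx) >> 3)

/* Constructed sample table: entry 0 allows 16 guest pages to be mapped
 * read/write onto 16 host pages; entry 1 allows one read/execute page. */
static const ept_edit_entry sample_entries[] = {
    { 0x10000000ull, 16 * PAGE_SIZE, 0x80000000ull, 16 * PAGE_SIZE, EPT_R | EPT_W },
    { 0x20000000ull, PAGE_SIZE,      0x90000000ull, PAGE_SIZE,      EPT_R | EPT_X },
};
const ept_edit_table sample_table = { sample_entries, 2 };

/* Validate a VMFUNC EAX=1 request. Returns the leaf EPT entry value
 * (HPA page base | granted R/W/X bits), or 0 if the request falls outside
 * the permitted mapping, so that nothing the guest asks for can widen what
 * the hypervisor placed in the table. */
uint64_t ept_edit_map(const ept_edit_table *t, uint32_t ecx, uint32_t ebx, uint32_t edx)
{
    uint32_t idx = ECX_INDEX(ecx), perms = ecx & ECX_PERM_MASK;
    if (idx >= t->count) return 0;                       /* unknown entry */
    const ept_edit_entry *e = &t->entries[idx];
    uint64_t gpa_off = ((uint64_t)ebx << PAGE_SHIFT) - e->gpa_start;
    uint64_t hpa_off = ((uint64_t)edx << PAGE_SHIFT) - e->hpa_start;
    if (((uint64_t)ebx << PAGE_SHIFT) < e->gpa_start || gpa_off >= e->gpa_size ||
        e->gpa_size - gpa_off < PAGE_SIZE) return 0;     /* GPA page outside range */
    if (((uint64_t)edx << PAGE_SHIFT) < e->hpa_start || hpa_off >= e->hpa_size ||
        e->hpa_size - hpa_off < PAGE_SIZE) return 0;     /* HPA page outside range */
    if (perms == 0 || (perms & ~e->allowed_perms)) return 0; /* not a subset */
    return e->hpa_start + hpa_off + perms;               /* leaf EPT entry */
}
```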